
chore: add benchmark to measure cost of use #292

Merged
merged 11 commits into main from romain.marcadier/benchmark on Sep 30, 2024

Conversation

RomainMuller (Contributor) commented Sep 23, 2024

Checking by comparing traefik/traefik (and some other projects) and DataDog/orchestrion with and without orchestrion, and posting results to the job summary (for now).

@RomainMuller RomainMuller requested a review from a team as a code owner September 23, 2024 16:03
```go
// Benchmark harness helper from the PR as shown in the review view; the
// remainder of the function body is not included in the excerpt.
func (h *harness) exec(name string, args ...string) {
	cmd := exec.Command(name, args...)
```


🟠 Code Vulnerability

Check command call and ensure there is no unsanitized data used. The variable `name` may need to be validated.

In Go, the exec.Command function is used to run external commands. Using this function carelessly can lead to command injection vulnerabilities.

Command injection occurs when untrusted input is passed directly to a system shell, allowing an attacker to execute arbitrary commands. This can result in unauthorized access to the system, data leaks, or other security breaches.

To prevent command injection vulnerabilities when using exec.Command in Go, follow these coding best practices:

  1. Sanitize User Input: Always validate and sanitize user inputs before passing them to exec.Command. Avoid executing commands constructed using user-provided data.
  2. Avoid using Shell Expansion: If possible, pass the command and arguments as separate strings to exec.Command. This prevents the shell from interpreting special characters in a potentially malicious way.
  3. Use Absolute Paths: When specifying the command to be executed, use absolute paths for executables whenever possible. This reduces the risk of inadvertently running a similarly named malicious command from the system's PATH.
  4. Avoid String Concatenation: Refrain from dynamically constructing commands by concatenating strings. Instead, use the arg ...string parameter of exec.Command to pass arguments safely.
  5. Limit Privileges: Run commands with the least privilege required to carry out the task. Avoid running commands with elevated privileges unnecessarily.

By following these practices, you can reduce the risk of command injection vulnerabilities when using exec.Command in Go and enhance the security of your application.


```go
// Builds the orchestrion binary once for the benchmark; excerpt from the PR,
// the closure is not shown in full in the review view.
orchestrionBinOnce.Do(func() {
	orchestrionBin = filepath.Join(rootDir, "bin", "orchestrion.exe")

	cmd := exec.Command("go", "build", fmt.Sprintf("-o=%s", orchestrionBin), rootDir)
```


🟠 Code Vulnerability

Check command call and ensure there is no unsanitized data used. The variable `rootDir` may need to be validated.

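The program below is an added example written for this page; it is not code from the orchestrion repository or from the Datadog checker. It addresses both findings above in one place: the `name` handed to `harness.exec` and the `rootDir` handed to `go build`. Two things the checker's generic text does not say are worth keeping in mind when triaging these. First, `exec.Command(name, args...)` passes argv to the operating system directly and never starts a shell, so metacharacters in an argument stay inside that one argument; the "concatenate and run through `sh -c`" pattern is shown beside it only as the contrast. Second, the exposure that remains is narrower: a bare `name` is resolved through `PATH`, and `go build` reads its trailing arguments as flags or package paths, so a value that is not an absolute directory may mean something other than intended. The allowlist, `validateTool`, `validatePackageDir`, `safeCommand` and `shellCommand` are names chosen for this example and exist nowhere in the project.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"strings"
)

// allowedTools is a constructed allowlist for this example. The PR's harness
// accepts any name; restricting it to the tools the benchmark needs is the
// validation the review comment asks for.
var allowedTools = map[string]bool{"go": true, "echo": true}

var (
	ErrNotAllowed = errors.New("executable not in allowlist")
	ErrBadPath    = errors.New("package directory must be an absolute path")
)

// validateTool accepts only a bare program name that is on the allowlist.
// Anything containing a path separator is refused so a caller cannot point
// the harness at ./go or ../../evil; resolution through PATH is left to
// exec.Command, which (since Go 1.19) refuses to resolve via a "." entry.
func validateTool(name string) error {
	if name == "" || strings.ContainsAny(name, `/\`) || !allowedTools[name] {
		return fmt.Errorf("%w: %q", ErrNotAllowed, name)
	}
	return nil
}

// validatePackageDir is the check for the rootDir finding. `go build` parses
// flags before packages, so a relative value, or one starting with '-', can be
// read as a flag or a module path instead of the directory that was meant.
// Requiring a cleaned absolute path rules both out (an absolute path can never
// begin with '-').
func validatePackageDir(dir string) (string, error) {
	cleaned := filepath.Clean(dir)
	if !filepath.IsAbs(cleaned) {
		return "", fmt.Errorf("%w: %q", ErrBadPath, dir)
	}
	return cleaned, nil
}

// safeCommand is the hardened shape of harness.exec: name is allowlisted and
// every argument is its own argv element, so no shell ever sees the string.
func safeCommand(name string, args ...string) (*exec.Cmd, error) {
	if err := validateTool(name); err != nil {
		return nil, err
	}
	return exec.Command(name, args...), nil
}

// shellCommand is the anti-pattern the checker describes: the command line is
// built by concatenation and handed to sh -c, which turns ';' into syntax.
func shellCommand(name string, args ...string) *exec.Cmd {
	return exec.Command("sh", "-c", name+" "+strings.Join(args, " "))
}

// run executes cmd and returns its combined stdout/stderr as a string.
func run(cmd *exec.Cmd) (string, error) {
	out, err := cmd.CombinedOutput()
	return string(out), err
}

func main() {
	// Constructed hostile argument: harmless with argv, a second command under sh -c.
	payload := "hello; echo pwned"

	safe, err := safeCommand("echo", payload)
	if err != nil {
		panic(err)
	}
	fmt.Printf("argv: %q\n", safe.Args)
	out, _ := run(safe)
	fmt.Printf("argv output:  %q\n", out)

	out, _ = run(shellCommand("echo", payload))
	fmt.Printf("sh -c output: %q\n", out)

	if _, err := safeCommand("rm", "-rf", "/"); err != nil {
		fmt.Println("rejected:", err)
	}
	if _, err := validatePackageDir("-flag"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Run it and the argv form prints the payload back as one string, while the `sh -c` form prints `hello` and then `pwned` on separate lines; that difference is the whole finding. For the harness in this PR the inputs are the harness's own constants and the checkout path, so the practical fix is the allowlist plus the absolute-path check, not escaping.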

eliottness and others added 2 commits September 27, 2024 15:31
Signed-off-by: Eliott Bouhana <[email protected]>
@RomainMuller RomainMuller added this pull request to the merge queue Sep 30, 2024
Merged via the queue into main with commit 6f519f1 Sep 30, 2024
23 checks passed
@RomainMuller RomainMuller deleted the romain.marcadier/benchmark branch September 30, 2024 08:37

codecov bot commented Sep 30, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 73.77%. Comparing base (1d46913) to head (4608529).
Report is 7 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #292      +/-   ##
==========================================
- Coverage   73.80%   73.77%   -0.03%     
==========================================
  Files         145      145              
  Lines        7966     7958       -8     
==========================================
- Hits         5879     5871       -8     
  Misses       1658     1658              
  Partials      429      429              
| Component | Coverage | Δ |
|---|---|---|
| Generators | 76.69% <ø> | (ø) |
| Instruments | 88.05% <ø> | (ø) |
| Go Driver | 72.81% <ø> | (ø) |
| Toolexec Driver | 70.88% <ø> | (ø) |
| Aspects | 71.95% <ø> | (ø) |
| Injector | 73.42% <ø> | (ø) |
| Job Server | 63.20% <ø> | (ø) |
| Integration Test Suite | 87.80% <ø> | (-0.05%) ⬇️ |
| Other | 73.77% <ø> | (-0.03%) ⬇️ |

see 3 files with indirect coverage changes

2 participants